How does sandbox evasion work in malware, and why do attackers use sleep functions to delay execution? Learn how time-based sandbox evasion techniques help malware bypass security analysis—essential for CompTIA Security+ (Plus) SY0-701 exam success.
Question
Malware includes a sleep function before executing malicious actions to evade security analysis. What is this technique called?
A. Code obfuscation
B. Sandbox evasion
C. Rootkit injection
D. DLL hijacking
E. API hooking
Answer
B. Sandbox evasion
Explanation
Malware detects if it’s running in a sandbox and delays execution to bypass security analysis.
The technique where malware includes a sleep function before executing malicious actions to evade security analysis is called sandbox evasion.
Sandbox evasion refers to a set of techniques used by malware to avoid detection by automated analysis environments, such as sandboxes and virtual machines, which security tools use to observe suspicious files before allowing them onto a network.
One of the most common sandbox evasion strategies is time-based evasion, where the malware deliberately delays execution—often by calling sleep functions or introducing artificial delays—so that it remains inactive during the limited analysis window of the sandbox.
Sandboxes typically monitor programs for only a few minutes. By sleeping or stalling, malware can “outwait” the sandbox, escaping detection and appearing benign during analysis.
Once the sandbox analysis ends and the file is released to a real environment, the malware wakes up and executes its malicious payload, bypassing the initial security controls.
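As an added illustration, not taken from the original page, the following Python toy model shows the limited analysis window described above and the sandbox-side countermeasure of hooking sleep calls so they can be fast-forwarded. The sample, the hook names and the indicator labels are all constructed for this example.

```python
class WindowExpired(Exception):
    """Raised when the sandbox's monitoring budget runs out."""

class SandboxRun:
    """What the sandbox records while a sample runs under its hooks."""

    def __init__(self, window_s, skip_sleeps):
        self.window_s = window_s        # how many seconds the sandbox monitors
        self.skip_sleeps = skip_sleeps  # fast-forward sleeps instead of waiting?
        self.wall_clock = 0.0           # real monitoring time consumed so far
        self.requested_sleeps = []      # every delay the sample asked for
        self.observed = []              # actions the sandbox got to see
        self.expired = False

    def sleep_hook(self, seconds):
        """Intercepts the sample's sleep call rather than letting it block."""
        self.requested_sleeps.append(seconds)
        if not self.skip_sleeps:
            self.wall_clock += seconds  # budget burns while the sleep is honoured
            if self.wall_clock > self.window_s:
                raise WindowExpired()

    def action_hook(self, name):
        self.observed.append(name)

def stalling_sample(sleep, act):
    """Constructed stand-in for a sample that delays, then acts (not real malware)."""
    sleep(600)  # asks for ten minutes, longer than a typical analysis window
    act("write_payload")

def run_in_sandbox(sample, window_s, skip_sleeps):
    """Runs the sample under the sandbox's hooks with a fixed monitoring window."""
    run = SandboxRun(window_s, skip_sleeps)
    try:
        sample(run.sleep_hook, run.action_hook)
    except WindowExpired:
        run.expired = True
    return run

def indicators(run):
    """Report an observed action, and a requested delay that would outlast the window."""
    found = []
    if run.observed:
        found.append("malicious_action")
    if sum(run.requested_sleeps) >= run.window_s:
        found.append("long_sleep")
    return found
```

With a 300-second window and sleeps honoured, the window expires before the action is seen; with sleep skipping, the action is observed, and in both cases the hooked sleep request itself is reported as an indicator.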
Real-world malware families, such as TrickBot and LockFile ransomware, have used this tactic successfully, leveraging sleep commands or complex timing logic to evade detection.
Sandbox evasion techniques, especially those involving sleep or delayed execution, are designed to bypass security analysis by remaining dormant until after sandbox monitoring has ended.